Embedding Keys in Code: A Bad Idea Just Got Worse

If you need any further justification to avoid embedding AWS credentials in code (hint: you really shouldn’t) – have a look at Truffle Hog. It’s an open source project that crawls the commit history and branches of GitHub repositories looking for high-entropy strings that are likely to be keys. In fact, if you have ever received or heard of warnings from AWS themselves about keys and secrets found in code – this might be some of the tooling they use internally.

It’s not the first solution to look for this sort of information. GitHub themselves introduced a feature nearly four years ago to search for passwords, encryption keys, and more. In addition, Git Hound solves the same problem in a different fashion: by analyzing commits before they reach GitHub. If offending secrets are identified, you can even configure Git Hound to block the commit.
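To make the entropy-based approach concrete, here is a small scanner added for this post (it is not Truffle Hog's or Git Hound's code). It follows the same idea: split each line into runs of base64-alphabet characters at least 20 characters long, compute the Shannon entropy of each run, and report anything above a threshold; a regex for the fixed shape of AWS access key IDs is added because those IDs are too regular to trip the entropy check on their own. The sample diff, the threshold value and the function names are assumptions for the example; the credential values in the sample are the placeholder keys from the AWS documentation, not live secrets.

```python
import math
import re
from collections import Counter

# Runs of base64-alphabet characters of at least 20 chars (assumed minimum, as in early Truffle Hog).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{20,}")
# AWS access key IDs have a fixed, recognisable shape, so a regex catches them
# even though their entropy is modest.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Assumed threshold in bits per character; random base64 sits well above it,
# ordinary identifiers and English words well below.
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(data: str) -> float:
    """Bits of entropy per character of `data` (0.0 for an empty or single-symbol string)."""
    if not data:
        return 0.0
    length = len(data)
    return -sum((n / length) * math.log2(n / length) for n in Counter(data).values())


def find_secrets(text: str):
    """Return (line_number, kind, token) for each suspicious token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group()))
        for m in BASE64_RUN.finditer(line):
            token = m.group()
            if AWS_ACCESS_KEY_ID.fullmatch(token):
                continue  # already reported by the regex above
            entropy = shannon_entropy(token)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append((lineno, f"high_entropy({entropy:.2f})", token))
    return findings


# Constructed sample diff, as it might appear in a commit; the key values are the
# AWS documentation placeholders.
SAMPLE_DIFF = """\
+++ b/config.py
+# constructed example; the credential values below are the placeholder keys from the AWS documentation
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+ROLE_ARN = "arn:aws:iam::123456789012:role/deploy"
+LOG_BUCKET = "my-application-logs-bucket"
"""

if __name__ == "__main__":
    for lineno, kind, token in find_secrets(SAMPLE_DIFF):
        print(f"line {lineno}: {kind}: {token}")
```

Run against the sample, the scanner reports the access key ID on line 3 (by shape) and the secret key on line 4 (entropy about 4.66 bits per character), while the ARN and bucket name pass because hyphens and colons break them into short runs. A real scanner would also check hex runs (with a lower threshold, since hex has only 16 symbols) and would have to tolerate the false positives that produces on commit hashes and checksums.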

Secrets embedded in code are bad. Instead of embedding credentials (even for testing), have your program read them from environment variables at runtime, so the keys are never defined explicitly in the source.
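As an added illustration of that advice (example code written for this post, not from any project mentioned in it), the loader below reads the credentials from the process environment and fails loudly if they are absent, so nothing in the source tree ever contains a key. The class and function names are assumptions, and the sample values used in the test are the AWS documentation placeholders.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# Before (what the post warns against): credentials as literals in source, so they
# land in every commit and stay in the history even after they are "removed".
#   AWS_ACCESS_KEY_ID = "AKIA..."
#   AWS_SECRET_ACCESS_KEY = "wJal..."

REQUIRED_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")


@dataclass(frozen=True, repr=False)
class AwsCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None

    def __repr__(self) -> str:
        # Never echo the secret into logs, tracebacks or debugger output.
        return f"AwsCredentials(access_key_id={self.access_key_id!r}, secret_access_key='***')"


def load_aws_credentials(env: Mapping[str, str] = os.environ) -> AwsCredentials:
    """After: pull the keys from the environment (injected by the deployment platform,
    a CI secret store, or a developer's shell), never from source."""
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise RuntimeError(f"missing required environment variables: {', '.join(missing)}")
    return AwsCredentials(
        access_key_id=env["AWS_ACCESS_KEY_ID"],
        secret_access_key=env["AWS_SECRET_ACCESS_KEY"],
        session_token=env.get("AWS_SESSION_TOKEN"),
    )


if __name__ == "__main__":
    print(load_aws_credentials())  # prints the key ID and a masked secret, or raises
```

In practice the AWS SDKs already read these variable names through their default credential chain, so application code rarely needs to touch them at all; the point of the explicit loader is the failure mode: a missing variable produces an immediate, descriptive error rather than a silent fallback to a key pasted into the source.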

If you point Truffle Hog at a public repo and get results, there is a high probability that a web spider beat you to it and that your keys are already known to more than just you. What do you do in this case?

If you are a Dome9 IAM Safety customer, you are already protected. IAM Safety protects you against the worst-case scenario, namely that somebody has been able to compromise your account and log in using your credentials. IAM Safety adds an additional layer of security by providing a just-in-time, out-of-band authorization workflow to gain access to the most sensitive operations at AWS.

IAM Safety provides security teams granular control over users, roles and actions, with privilege elevation on an as-needed basis for protected actions. This is accomplished by requiring second-level out-of-band authorization from a mobile device to execute these sensitive actions. The end result is that credential compromise events are no longer catastrophic and your AWS environment will live to see another day!